{"id":19887949,"url":"https://github.com/pkgdeps/update-github-actions-permissions","last_synced_at":"2025-05-02T17:31:23.813Z","repository":{"id":42020672,"uuid":"382539703","full_name":"pkgdeps/update-github-actions-permissions","owner":"pkgdeps","description":"A CLI that update GitHub Actions's `permissions` automatically","archived":false,"fork":false,"pushed_at":"2023-06-27T01:33:37.000Z","size":315,"stargazers_count":62,"open_issues_count":0,"forks_count":10,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-03-24T11:02:32.935Z","etag":null,"topics":["github-actions","permissions","security","tool"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pkgdeps.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-07-03T06:08:36.000Z","updated_at":"2023-11-05T01:52:55.000Z","dependencies_parsed_at":"2023-02-17T04:45:40.356Z","dependency_job_id":null,"html_url":"https://github.com/pkgdeps/update-github-actions-permissions","commit_stats":null,"previous_names":[],"tags_count":30,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pkgdeps%2Fupdate-github-actions-permissions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pkgdeps%2Fupdate-github-actions-permissions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pkgdeps%2Fupdate-github-actions-permissions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pkgdeps%2Fupdate-github-actions-permissions/manifests","owner_url":"https://repos.ecos
yste.ms/api/v1/hosts/GitHub/owners/pkgdeps","download_url":"https://codeload.github.com/pkgdeps/update-github-actions-permissions/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224324514,"owners_count":17292521,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","permissions","security","tool"],"created_at":"2024-11-12T18:05:31.257Z","updated_at":"2024-11-12T18:05:32.038Z","avatar_url":"https://github.com/pkgdeps.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# @pkgdeps/update-github-actions-permissions [![Actions Status: test](https://github.com/pkgdeps/update-github-actions-permissions/workflows/test/badge.svg)](https://github.com/pkgdeps/update-github-actions-permissions/actions?query=workflow%3A\"test\")\n\nUpdate GitHub Actions's `permissions` automatically.\n\n|                    Before                    |                   After                    |\n|:--------------------------------------------:|:------------------------------------------:|\n| ![Before: Actions file](docs/img/before.png) | ![After: Actions file](docs/img/after.png) |\n\n## Features\n\n- Static analysis\n- Detects the Actions in use and adds a `permissions` field to your Actions YAML file\n- Supports 500+ GitHub Actions\n\n## Install\n\nInstall with [npm](https://www.npmjs.com/):\n\n    npm install @pkgdeps/update-github-actions-permissions --global\n\nor install and run via the `npx` command:\n\n    npx @pkgdeps/update-github-actions-permissions 
\".github/workflows/*.{yaml,yml}\"\n\n## Usage\n\n    Usage\n      $ update-github-actions-permissions \"[file|glob]\"\n \n    Options\n      --defaultPermissions                [String] \"write-all\" or \"read-all\" or \"{}\". Default: \"write-all\"\n                                          https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs\n      --verbose                           [Boolean] If enable verbose, output debug info.\n      --use-rule-definitions              [String[]] Use rule definitions. Default: [\"default\", \"step-security\"]\n \n    Examples\n      $ update-github-actions-permissions \".github/workflows/test.yml\"\n      # multiple inputs\n      $ update-github-actions-permissions \".github/workflows/test.yml\" \".github/workflows/publish.yml\" \n      $ update-github-actions-permissions \".github/workflows/*.{yml,yaml}\"\n\n\n## Add New Actions\n\nThis tool manages `permissions` in [actions.yml](./actions.yml).\n\nIf you want to improve the `permissions` definitions, please edit [actions.yml](./actions.yml).\n\n1. Edit [actions.yml](./actions.yml)\n2. 
Submit a Pull Request\n\n\n📝 This tool includes [step-security/secure-repo](https://github.com/step-security/secure-repo) definitions.\nIf the same action is defined in both, this tool prefers [actions.yml](./actions.yml).\nThis order can be changed via the `--use-rule-definitions` flag.\n\n### `permissions` examples\n\nNo permissions required:\n\n```yaml\nactions/setup-node:\n```\n\nRead content permissions:\n\n```yaml\nactions/checkout:\n  permissions:\n    contents: read\n```\n\nIssue/Pull Request comments permissions:\n\n\n```yaml\nactions/stale:\n  permissions:\n    issues: write\n    pull-requests: write\n```\n\nUpdate content and create Pull Request permissions:\n\n```yaml\npeter-evans/create-pull-request:\n  permissions:\n    contents: write\n    pull-requests: write\n```\n\n**References**\n\n- [Automatic token authentication - GitHub Docs](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)\n- [Permissions required for GitHub Apps - GitHub Docs](https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28)\n\n## Detection logic\n\n- Read your workflow file\n- Collect `uses` actions or `env` entries that use `${{ secrets.GITHUB_TOKEN }}`\n- Match actions with [actions.yml](./actions.yml)\n- If unknown actions are found, write `defaultPermissions` (`permissions: write-all`) to the workflow file.\n- If `env` usage is found, write `defaultPermissions` (`permissions: write-all`) to the workflow file.\n    - :memo: `NODE_AUTH_TOKEN` is a special pattern. 
Currently, it is treated as `contents: read` and `packages: write`.\n- Otherwise, write `permissions: \u003ccombined permissions\u003e` to the workflow file.\n\n## References\n\n- 2023-02-03: GitHub changed the default permission to `contents: read`\n    - [GitHub Actions - Updating the default GITHUB_TOKEN permissions to read-only | GitHub Changelog](https://github.blog/changelog/2023-02-02-github-actions-updating-the-default-github_token-permissions-to-read-only/)\n\n## Changelog\n\nSee [Releases page](https://github.com/pkgdeps/update-github-actions-permissions/releases).\n\n## Alternatives\n\n- [GitHubSecurityLab/actions-permissions: GitHub token permissions Monitor and Advisor actions](https://github.com/GitHubSecurityLab/actions-permissions)\n  - This Action does dynamic analysis\n\n## Running tests\n\nInstall devDependencies and run `npm test`:\n\n    npm test\n\n## Contributing\n\nPull requests and stars are always welcome.\n\nFor bugs and feature\nrequests, [please create an issue](https://github.com/pkgdeps/update-github-actions-permissions/issues).\n\n1. Fork it!\n2. Create your feature branch: `git checkout -b my-new-feature`\n3. Commit your changes: `git commit -am 'Add some feature'`\n4. Push to the branch: `git push origin my-new-feature`\n5. 
Submit a pull request :D\n\n## Author\n\n- azu: [GitHub](https://github.com/azu), [Twitter](https://twitter.com/azu_re)\n\n## License\n\nThis package is licensed under the AGPL (GNU Affero General Public License) v3.0,\nbecause this package includes AGPL-licensed [third-party](third-party/) resources like [step-security/secure-repo](https://github.com/step-security/secure-repo).\n\n- [step-security.yml](third-party/step-security.yml): AGPL v3.0 ©️ [step-security/secure-repo](https://github.com/step-security/secure-repo)\n\nHowever, the following files are available under the [MIT license](./LICENSE-MIT):\n\n- `bin/*`\n- `src/*`\n- `lib/*`\n- `module/*`\n- `test/*`\n- `action.yml`\n\n## Related\n\n- [step-security/secure-repo: Secure GitHub Actions CI/CD workflows via automated remediations](https://github.com/step-security/secure-repo)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpkgdeps%2Fupdate-github-actions-permissions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpkgdeps%2Fupdate-github-actions-permissions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpkgdeps%2Fupdate-github-actions-permissions/lists"}